Privacy Policy

1. Introduction

This Privacy Policy describes how TentPilot ("we," "us," or "our") collects, uses, protects, and shares information when you use the TentPilot platform, including our website, web application, APIs, and related services (collectively, the "Service").

By using the Service, you agree to the collection and use of information as described in this Privacy Policy.

2. Information We Collect

2.1 Account Information

When you create an account, we collect: email address, name, password (stored as a salted cryptographic hash — we never store your plaintext password), timezone, and notification preferences.

2.2 Sensor Data

When you connect devices, we collect:

• Device metadata — identifiers, names, model numbers, and ecosystem information.
• Sensor readings — temperature, humidity, barometric pressure, CO2, air quality, power consumption, battery levels, and other data exposed by your device APIs.
• Controller state — setpoints, on/off state, and operational history for controllable devices.
• Derived metrics — calculated values such as VPD, dew point, trend direction, and averages.

Sensor data is collected at regular intervals (every 5–15 minutes depending on your plan) by polling your device manufacturer's cloud APIs.

2.3 Device Credentials

To connect your IoT devices, you provide API keys, OAuth tokens, or device-specific secrets. How we handle them:

• Encrypted at rest — Fernet symmetric encryption before storage. Encryption key stored as a server environment variable, separate from the database.
• Never stored in plaintext anywhere in our systems.
• Never logged — excluded from all application logs, error reports, and monitoring.
• Never displayed after entry — credentials are write-only.
• Stored separately from your sensor readings and account data.
• Deleted immediately when you remove a device adapter or delete your account.

2.4 Usage Data

We automatically collect session data, alert interactions, dashboard usage patterns, API usage (Business tier), and basic browser/device information.

2.5 Payment Information

Payment processing is handled entirely by Stripe, Inc. We never receive, process, or store your full card number or CVV. We receive only: name, email, billing address, last four digits, expiration date, and subscription status.

3. How We Use Your Information

3.1 Providing the Service

Polling your devices, storing and displaying data, evaluating alert rules, sending notifications, running AI trend analysis, and managing your account and billing.

3.2 AI Advisory Analysis

Your sensor data is periodically sent to an AI language model to generate advisory insights.

• What is sent: A compressed statistical summary (current values, averages, min/max, trends). Raw individual readings are not sent.
• What is NOT sent: Your credentials, API keys, email, name, phone number, payment information, or any PII.
• AI provider: Anthropic's Claude API. Per our agreement, sensor data summaries are not retained by Anthropic for model training.

3.3 Alerts and Communications

Sending threshold alerts, trend advisories, device offline notifications, daily digests, and essential account communications.

3.4 Aggregated Analytics

Analyzing anonymized usage patterns to improve the Service. We do not use your data for advertising, ad targeting, or sale to third parties.

4. How We Protect Your Information

4.1 Encryption

Credentials use Fernet encryption at rest. All connections use HTTPS/TLS. Backups are stored on encrypted cloud storage.

4.2 Tenant Isolation

Each user's data is stored in separate, isolated database files. There are no shared tables between users. Cross-tenant data access is architecturally impossible — each tenant has their own SQLite databases on disk.

4.3 Access Controls

Device credentials are write-only. Internal admin access is IP-restricted. Application logs are scrubbed of sensitive values.

5. Data Retention

Account data is retained for 90 days after termination to allow export, then permanently deleted. Device credentials are deleted immediately on removal. Payment records are retained as required by law.

6. Third-Party Services

6.1 Payment Processing

Stripe, Inc. — processes all payments. See: stripe.com/privacy

6.2 Messaging

Alerts are delivered through: Twilio (SMS), WhatsApp Business API, SendGrid (email), Telegram Bot API, and Novu (orchestration). We share only the minimum information needed for delivery. Message content never includes device credentials.

6.3 AI Analysis

Anthropic (Claude API) — receives compressed sensor data summaries only. Does not receive credentials, email, name, phone, payment info, or any PII.

6.4 Device Ecosystem APIs

We access your device manufacturer APIs (Govee, Tuya, SensorPush, Kasa, etc.) using credentials you provide. We act as your agent — we do not share your data with these ecosystems beyond what is needed to authenticate and poll.

6.5 Analytics

We use privacy-respecting, cookieless analytics. No personally identifiable information is collected, no cookies are used, and individual users are not tracked across sessions.

7. Cookies and Tracking

We use only essential cookies: a session authentication cookie and a CSRF protection token. No advertising cookies. No third-party tracking. No cross-site tracking. No fingerprinting.

8. Your Rights

8.1 Data Export

Export your sensor data anytime via dashboard CSV download, API access (Business tier), or by contacting us for a complete account export.

8.2 Account Deletion

Delete your account anytime. Credentials are deleted immediately. Account data is retained 90 days for export, then permanently deleted.

8.3 GDPR Rights (EEA Residents)

If you are in the EEA, you have rights to: access, rectification, erasure, restriction of processing, data portability, objection, and withdrawal of consent. Contact us to exercise these rights. Business tier customers may request a GDPR-compliant Data Processing Agreement.

8.4 California Residents (CCPA/CPRA)

You have rights to know, delete, and opt out of sale. We do not sell your personal information to third parties.

9. Children's Privacy

The Service is not intended for anyone under 18. We do not knowingly collect information from children under 18.

10. International Data Transfers

The Service is operated from the United States. If you access it from outside the US, your information will be transferred to and processed in the US.

11. Data Breach Notification

In the event of a breach, we will notify affected users by email within 72 hours, provide details of affected information and remediation steps, and notify relevant authorities as required by law.

12. Changes to This Policy

We will email you before material changes take effect and post updated policies with a revised date. Continued use after the effective date constitutes acceptance.

13. Contact

Questions about this Privacy Policy? Contact us at [email protected]